I am trying to localize where my events are located.
- in which indexer
- in which index
- in which bucket
Can I use a search to do that?
There are internal fields that can tell you that:
<myevent> | eval cd=_cd | eval bkt=_bkt | table cd bkt index splunk_server _time source host sourcetype _raw